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Abstract — Bidirectional relaying, where a relay helps two user 
nodes to exchange messages has been an active area of recent 
research. In the compute-and-forward strategy for bidirectional 
relaying, the relay computes a function of the two messages 
using the naturally-occurring sum of symbols simultaneously 
transmitted by user nodes in a Gaussian Multiple Access Channel 
(MAC), and the computed function value is forwarded to the user 
nodes in an ensuing broadcast phase. In this work, we consider 
the Gaussian MAC in bidirectional relaying with the messages 
taking values in a finite Abelian group and the relay computing 
the sum within the group under an additional secrecy constraint 
for protection against a honest but curious relay. The secrecy 
constraint is that, while the relay should decode the group sum, 
the individual message of each user should be perfectly secure 
from the relay. We exploit the symbol addition that occurs in 
a Gaussian MAC to design explicit modulations at the user 
nodes that achieve independence between the received symbols 
at the relay and each of the two individual transmitted messages 
under an average transmit power constraint. We provide a lattice 
coding strategy for reliable computation of the group sum at the 
relay with perfect secrecy, and study rate versus average power 
trade-offs in the large-dimension regime. Our results for secure 
compute-and-forward are significant because we achieve perfect 
security with finite average transmit power, and this has been 
done using a novel approach involving Fourier-analytic tools. 



I. Introduction 

Consider a network having three nodes: user nodes A, B and 
a relay node R. The nodes A and B wish to communicate with 
each other, but are connected only to R and not to each other 
directly. The node R acts as a bidirectional relay between A 
and B and facilitates communication from A to B and from 
B to A in the reverse direction. All nodes are assumed to 
operate in half-duplex mode (they cannot transmit and receive 
simultaneously), and all links between nodes are wireless 
Gaussian channels. Bidirectional relaying in such settings has 
been studied extensively in recent literature Q], lfl2l . 1161 , 

ma, ma. 

We use the compute-and-forward framework proposed 
in 11221 . |[T2l for bidirectional relaying, and we briefly describe 
a binary version for completeness and clarity. Suppose that A 
and B possess bits X and Y, respectively. We will assume 
that X and Y are generated independently and uniformly at 
random. The goal in bidirectional relaying is to transmit X to 
B and Y to A through R. To achieve this goal, a compute-and- 
forward protocol takes place in two phases as shown in Fig. [T] 
(1) The (Gaussian) multiple access or MAC phase, where 
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Fig. 1. Bidirectional relaying: (a)MAC phase, (b)Broadcast phase 



the user nodes simultaneously transmit to the relay, and (2) 
Broadcast phase, where the relay transmits to the user nodes. 
In the MAC phase, the user nodes A and B independently 
modulate their bits X and Y into real valued symbols U and 
V, respectively. The relay receives an instance of a random 
variable W, which can be modeled as 



W = U + V + Z, 



(1) 



where it is assumed that the links A — > R and B — > R have unit 
gain (normalized), Z denotes additive white Gaussian noise 
independent of U and V and communication is assumed to 
be synchronized. Using W, the relay computes the XOR of 
the two message bits, i.e., X © Y, and in the broadcast phase, 
encodes it into a real symbol which is transmitted to the two 
users over a broadcast channel. Note that A and B can recover 
Y and X, respectively, from X © Y. 

In a compute-and-forward bidirectional relaying problem 
such as the above, we study the scenario where an additional 
secrecy constraint is imposed on the relay R. Specifically 
we stipulate that, in the MAC phase, the relay remain fully 
ignorant of the individual bits X and Y, while still being 
able to compute the XOR X Y reliably. By "fully igno- 
rant", we mean that perfect secrecy is required at the relay, 
i.e., the received symbol at the relay should be statistically 
independent of the individual bits X and Y. One of the results 
of this article is that such a requirement for perfectly secure 
computation in the bidirectional relay can be met by average 
power constrained modulations at the user nodes. In fact, we 
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construct explicit modulation strategies for achieving both the 
secrecy and reliability objectives. 

The setting of secure bidirectional relaying in this article 
is an extension of the simple binary case described above. 
In general, we consider the case where the two users map 
their messages into random variables X and Y that take 
values independently and uniformly in a finite Abelian group 
G, and transmit them to the relay in d time slots with one 
symbol being transmitted in one time slot. The time slots are 
synchronized, and the relay, in each slot, receives the sum 
of transmitted symbols in that slot. The messages should be 
encoded so that the relay is able to compute X © Y reliably, 
where © now denotes addition over the group G, but remain 
ignorant of the individual messages X and Y i.e., the d 
received symbols at the relay are statistically independent of 
the individual messages X and Y. 

We show that the requirements that we have stated are 
reasonable and there exists a scheme to ensure perfect secrecy 
while providing protection against noise. We design explicit 
randomized modulation strategies at the nodes A and B for 
achieving the objectives of perfect security of the individual 
messages X, Y, and correct decoding of their sum X(BY at the 
relay R in the Gaussian MAC phase. Interestingly, we achieve 
perfect security using the addition operation of U and V in ([TJ, 
and this is an important novel contribution of our work. The 
tools used for achieving the objective of perfect security are 
characteristic functions and the Poisson summation formula 
from probability theory and Fourier analysis. For the noisy 
case, we provide a coding scheme based on nested lattice 
codes for perfectly secure and reliable group computation. We 
find that it is not possible to achieve perfect secrecy under a 
maximum power constraint, i.e, when the signal sets of the 
users are bounded. However, when the transmitted vectors 
are taken to be points of a lattice, with an average power 
constraint, it is possible to achieve perfect secrecy. This is of 
importance since in any communication system, the average 
transmit power is restricted. We also find that, for a given 
lattice, the average transmit power at each user cannot be made 
arbitrarily small, and we specify the minimum average power 
and the distribution on the transmitted symbols to achieve the 
same. 

Security against an eavesdropping two-way or bidirectional 
relay was considered in E5ll using friendly jammers that 
create a wiretap channel. Lattice codes have been proposed 
for Gaussian wiretap channels in |14|. Security for a network 
with several two-way relays arranged in a line with cooperative 
jamming was considered in f9i|, where a lattice-based scheme 
was proposed. In all of the above works, weak information- 
theoretic security (mutual information rate to eavesdropper 
tends to zero) has been used as a secrecy metric. In contrast, in 
this work, we achieve perfect secrecy i.e. the secret message 
is independent of the eavesdropper's received values. 

The rest of the article is divided into four main sections. In 
the Section[lIJ we formally describe the problem statement and 
state the main result. We then consider the noiseless setting 



take values from a finite Abelian group and are modulated 



to points in a lattice. In Section IV we study the case with 
additive white Gaussian noise, and describe a nested lattice 
coding scheme to achieve the same. Finally, in Section [V] 
we establish the existence of nested lattices that satisfy the 
requirements, and study the rate region that can be achieved. 

Notation 

We first describe the notation we will use throughout the 
paper. We denote the set of reals by K, the set of integers 
by Z. The number of elements in a finite set S is denoted 
\S\. Column vectors are denoted in boldface lower case, as 
in x, with the components denoted in normal font, e.g., x = 
[xiX2\ T ■ Matrices are represented in boldface uppercase, as in 
H. The Euclidean (L 2 ) norm of a column vector h is denoted 
by ||h||. The identity matrix of size M x M is denoted by Im- 
If X is a random variable, then H(X) denotes the entropy of 
X. Expectation over the random variable X is denoted by 
Ex(-)- The probability of an event A is denoted by Pr[A|. For 
random variables X, Y, the notation X _LL Y means that X 
and Y are statistically independent. 

II. Description of the Problem 

The general set-up is as follows: The user nodes, denoted 
by A and B, possess messages taking values independently and 
uniformly in a finite set. For the purposes of computation at 
the relay, the messages are mapped into random variables X 
and Y taking values in a finite Abelian group G. The mapping 
is such that the random variables X and Y remain uniformly 
distributed over G, and we will see later that this distribution 
helps in achieving secrecy. The addition operation in the group 
G is denoted ©. The messages X and Y are modulated 
into d-dimensional real valued random vectors u and v, 
respectively, and this is done by each user independently of 
the other. The modulated vectors are transmitted to the relay 
R simultaneously, and the relay receives an instance of the 
random vector w, given by 



w = u 



z, 



(2) 



in Section III and explain a randomized integer modulation 
scheme, for securely communicating the XOR of two user 
bits, which we then generalize to the case when the messages 



where z is a Gaussian random vector, with zero mean and 
covariance matrix <j 2 Id, with Lj being the d x d identity matrix, 
and + denotes componentwise real addition. We impose the 
following condition: the vector u + v received by the relay 
must be statistically independent of the individual messages 
X and Y. However, the relay must be able to reliably compute 
X © Y (where denotes addition within G) from the received 
vector. To summarize, we have the following requirements for 
secure computation: 

(51) (u,X) JL ( v ,y). 

(52) (u + v) _U_ X and (u + v) JL Y. 

(53) u + v almost surely determines X © Y, 

Since X and Y are chosen independently and uniformly over 
G, the random variables X © Y, X and Y are pairwise 
statistically independent. Therefore, if conditions (S1)-(S3) are 
satisfied, the relay has no means of finding the individual 
messages. Property (S3) ensures that the relay can decode 
X(&Y, which then can be encoded/modulated for transmission 
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over the broadcast channel. On reception of the broadcasted 
message, since user A (resp. B) knows X (resp. Y), it can 
recover Y (resp. X). 

The above conditions (S1)-(S3) ensure secure computation 
of X © Y at the relay. However, the messages must also be 
protected from corruption by the additive noise in the MAC 
channel. It is desirable to communicate X © Y to the relay 
with arbitrarily low probability of error. Moreover, practical 
systems are constrained in the average transmit power and the 
scheme must ensure that the messages are transmitted at the 
highest possible rate for a given power constraint. We will 
henceforth restrict ourselves exclusively to the MAC phase, 
since there is no security requirement in the broadcast phase 
and the relay can use a capacity-approaching code to broadcast 
X © Y to the users. In the MAC phase, our aim will be to 
ensure secure computation of X © Y, at the highest rate for 
a given power constraint at the user nodes. To make these 
notions formal, we have the following definition: 

Definition 1. For a positive integer d, a (d,N^) code for 
the MAC phase of the bidirectional relay channel with user 
nodes A, B and relay R (see Fig. ^and f^j consists of the 
following: 

1) Messages: Nodes A and B possess messages X and Y, 
respectively, drawn independently and uniformly from a 
finite Abelian group with = |G^>| elements. 

2) Codebook: The codebook, denoted by C, is a discrete 
subset of K d , and not necessarily finite. The elements 
of C are called codewords. The codebook consists of all 
those vectors that are allowed to be transmitted by the 
user nodes to the relay. 

3) Encoder:The encoder is a randomized mapping from 
G^ to R d , specified by the distribution $( d )(a|a;) = 
Pr[u = &\X = x] for all a £ C and x £ G (d) . The 
same encoder is used at both nodes, A and B. At node A, 
given a message X £ as input, the encoder outputs a 
codeword u £ C at random, according to Similarly, 
at node B, with Y as input, the encoder outputs v £ C. 
The encoding of X and Y are done independently. The 
rate of the code is defined to be 



R (d) = 



log 2 



(3) 



The code has an average transmit power per dimension 
defined as 



= ifiHull 2 = Je||v|| 2 . 



(4) 



4) Decoder: The relay R receives a vector w £ K^" 1 ' as given 
in (I2JL The decoder at the relay is a mapping 

that maps the received vector to an element of the 
set of messages. The average probability of error of the 
decoder is defined as 

77 (d) 4 E (Xiy) E z (Pr[^ d) (w) £ ai ®a 2 \X = a u Y = a 2 ] 

where E(x,y) an d E z denote expectations over the mes- 
sages (X,Y) and the additive noise (z), respectively. 



We say that a point (V,1Z) in the power-rate region is 
achievable with perfect secrecy if, for every e > 0, there 
exists a sequence of (d,N^) codes that satisfy conditions 
(S1)-(S3), and for sufficiently large d, satisfy 

v (d) < £i R (d) >U _ e p(d) <V + e . 

We will show that it is indeed possible to satisfy the above 
properties and there do exist (V,TZ) pairs, with V finite and 
1Z > 0, which are achievable. In other words, there exists 
a coding scheme for the Gaussian MAC phase which ensures 
secure computation of X®Y at the relay at positive rates, with 
finite average transmit power at the user nodes and arbitrarily 
small probability of error. In fact, the main result of this article 
is stated in the following theorem. 

Theorem 1. The point (V, \ \og 2 (V / {Ae 2 a 2 ))) in the power- 
rate region is achievable with perfect secrecy. 

The solution is developed in two steps. First, we develop a 
scheme for secure computation in the absence of noise. Since 
the noise is independent of all the other variables in the system, 
secure computation is still guaranteed even in the presence of 
noise. We extend the results to the case that includes additive 
white Gaussian noise, and show that the computation can be 
done reliably while achieving the above specified power-rate 
pair. 

III. The Noiseless Setting 

To get a clear picture as to how secure communication 
can be achieved, we first describe the binary case, i.e., the 
messages coming from {0, 1}, or equivalently, the set of 
integers modulo-2 (G = Z2), which are modulated to U, V, 
taking values in E. We will show that there exist distributions 
on U and V that permit secure computation defined by 
properties (S1)-(S3). This is somewhat surprising since we 
cannot have non-degenerate real valued random variables U, V 
that satisfy (U + V) _0_ U and (U + V) JL V, as shown in 
the following proposition: 

Proposition 2. Let U and V be independent real-valued 
random variables, and let + denote addition over K, Then, 
we have U + V _0_ U and U + V _0_ V iff U and 
V are constant a.s. (i.e., there exist a, b £ R such that 
Pr[U = a] =Pr[V = b] = 1). 

Proof: The "if" part is trivial, so let us prove the "only 
if" part. Let W = U + V, so that by assumption, U, V and 
W are pairwise independent. Let ipu, <fiv an d (pw denote 
the characteristic functions of U, V and W, respectively. In 
particular, tp w = ipu(p v . From U — W — V, we also have 
that ipjj = cpwWv> where Ipv denotes the complex conjugate 
of ifv- Putting the two equalities together, we obtain (pu = 
ipu\<pv\ 2 - To be precise, ipu(t) — <Pu (t)\<Pv (t)\ 2 f° r a U ' € R. 

Now, characteristic functions are continuous and take the 
value 1 at t = 0. Hence, (fu is non-zero within the interval 
[-<5,(5] for some S > 0. Thus, \ipv(t)\ = 1 for all t £ [-5,5]. 
By a basic property of characteristic functions (see Lemma 4 
of Section XV. 1 in [8|), this implies that there exists b £ M. 
such that (fiv{t) = e lbt for all t £ R, thus proving that V = b 
with probability 1. 
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A similar argument using V = W — U shows that U is also 
constant with probability 1. ■ 

A. Secure Computation of XOR at the Relay 

In this section, X and Y are independent and identically 
distributed (iid) uniform binary random variables (rvs), and 
X © Y denotes their modulo-2 sum (XOR). We describe a 
construction of integer- valued rvs U and V satisfying (SI)- 
(S3). 

1 ) Conditions on PMFs and characteristic functions: We 
first derive conditions under which integer-valued rvs U and 

V can satisfy properties (S1)-(S3) stated in Section [II] We 
introduce some notation: for k G Z, let pu(k) = Pr[U = 
k], p v (k) = Pr[V = k], and for a £ {0, 1}, let p v \ a {k) = 
Pr[U = k | X = a], p V \a{k) = Pr[V" = k | Y = a}. Thus, 
Pu = (l/2)(pt/|0 +Pu\i) and p v = (l/2)(p v \ +p V \t). 

Property (SI) is equivalent to requiring that the joint prob- 
ability mass function (pmf) of (U, V, X, Y) be expressible as 

Puvxy(k, I, a, b) = (l/2){l/2)p ula (k) Pvlb (l) (5) 

for k, I G Z and a,b € {0,1}. Without the requirement that 
U + V JL X and U + V JL Y, it is trivial to define U and 

V such that (S3) is satisfied: for example, take U — X and 

V = Y. Property (S3) is satisfied by any U, V such that 



Proof: Suppose that U and V are finitely supported Z- 
valued rvs. Then, <pu(t) and fv{t) are finite linear combina- 



tions of some exponentials e 



ik±t 



1 e 



ik n t 



Equivalently, the 



= for all odd k G Z, 
for all even k G Z. 



(6) 



Pe/|oO) =_Pv|oO) 

Finally, we turn our attention to (S2). We want (£/ + V) JL 
X and (Z7 + V) JL Y. Let us define, for k G Z, pr/+v(fc) = 
Pr[f7 + V = fc], and for a G {0, 1}, p[/+v|x=a(*0 = Pr[D" + 
V = k | X = a] and Pu+v\Y= a {k) = Pr[U + V = k \ Y = 
a}. Assuming {U,X) JL (V,"K), we have pu+v — Pu * Pv, 

PU+V\X=a = PU\a * PV, and Pu+V\Y=a = PU * PV\a> where 

* denotes the convolution operation. Thus, when (U, X) JL 
(V, Y), (S2) holds iff 

Pu * Pv = Pu\a * Pv = Pu * Pv\ a for a € {0, 1}. (7) 

It helps to view this in the Fourier domain. Let ipjj, ipy, 
(fiu\ a etc. denote the respective characteristic functions of 
the pmfs pu, py, pu\ a etc. — for example, ipu\a(t) = 
^ fcgZ P[/| (fc)e lfet . Then, (|7jl is equivalent to 

ipuW = ^u\a^v = Vu^v\a for a G {0, 1}. (8) 

Note that ip v = (l/2)(tp ul0 + tp^) and ip v = (1/2) (^|o + 
Vv|i). Hence, d8]l should be viewed as a requirement on the 
conditional pmfs pu\ a and p^|a> a G {0,1}- 
In summary, we have the following lemma. 

Lemma 3. Suppose that the conditional pmfs Pu\ a and Pv\ a > 
a G {0, 1}, satisfy [6 \ and ([s]). Then, the rvs U,V,X,Y with 
joint pmf given by {5) have properties (S1)-(S3). 

The observations made up to this point also allow us to 
prove the following negative result^ 

Proposition 4. Properties (S1)-(S3) cannot be satisfied by 
integer-valued rvs U, V that are finitely supported. 

'in fact, a stronger negative result can be shown — see Proposition 10 



real and imaginary parts of ipjj and tp v are trigonometric 
polynomials. Thus, either ipjj (resp. (p.y) is identically zero, 
or it has a discrete set of zeros. The former is impossible 
as (fiu{0) — w(0) = 1. Now, suppose that (SI) and (S2) 
are satisfied, which means that (|8]l must hold. The equality 
iputfiv = tpu^Pv\a in j8l implies that <p v \ a (t) = <Pv(t) for 
all t such that fu(t) 7^0- But since (pu(t) has a discrete set 
of zeros, continuity of characteristic functions in fact implies 
that ipyi a (t) = ifiv(t) for all t. An analogous argument shows 
that ipu\ a (t) = <pu(t) for aU t. Hence, U JL X and V JL Y. 
From this, and (SI), we obtain that U + V JL X © Y, thus 
precluding (S3). ■ 

Practical communication systems generally have a maxi- 
mum power constraint, which means that we would like to 
have U, V being finitely supported. But from Proposition |4] 
we see that it is not possible to have finitely supported U, V 
that permit secure computation. Therefore, in order to ensure 
secure computation, we will have to relax the criterion to an 
average power constraint on the user nodes. This means that 
we require finite-variance, integer-valued random variables 
U,V, with infinite support, that satisfy properties (S1)-(S3), 
or equivalently, the hypotheses of Lemma [3] 

We now give a construction of U, V that satisfy the hy- 
potheses of Lemma [3] To do this, we rely upon methods and 
results from Fourier analysis. The key tool we need is the 
Poisson summation formula, which we briefly recall here. Our 
description is based largely on Section XIX. 5 in |8|. 

B. The Poisson Summation Formula 

Let i/j be the characteristic function of a real-valued random 
variable X, such that /_ \ip(t)\dt < oo. In particular, ip is 
continuous and ^>(0) = 1. Since ip is absolutely integrable, the 
random variable X has a continuous density /. The Poisson 
summation formula [8, Chapter XIX, equation (5.9)] states 
that for any T > and s G E, we have for all (eR, 

oo 

tp{( + 2nn/T)e- ts{2n * /T) 

n— — oo 

oo 

= T f{kT + s)e l{kT+sK , (9) 

k— — oo 

provided that the series on the left converges to a continuous 
function *(C). Note that *(0) = TJ2T=-oc f(kT+s), which 
is a non-negative quantity. If ^(0) ^ 0, then dividing both 
sides of ^ by vp(0) yields the important fact that *(^)/*(0) 
is the characteristic function of a discrete random variable sup- 
ported within the set {kT + s : k G Z}, the probability mass at 
the point kT+s being equal to f{kT+s)/ J2T=-oo f(kT+s). 

A special case of interest is when ip is compactly supported. 
Let T > be such that ip(t) = whenever |i| > w/T. It is 
straightforward to see that the series on the left-hand-side of 
^ converges to a continuous function ^, and that ^(0) = 
ip(0) = 1. Indeed, the series may be written as e^^C), 
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where 



*(0 



E 



iP{C + 2nn/T) e-MC+arwr/T). 



Note that is periodic with period 2tt/T. In fact, 4> is simply 
the periodic extension, with period 2n/T, of ip(t)e~' lst . Now, 
t/> (being a characteristic function) is continuous, and hence, 
so is ty. We conclude that \&(C) = e^Vf^C) is a continuous 
function. Furthermore, \&(0) = ip(0) = 1, From this, we 
infer that is the characteristic function of a discrete rv, 
as explained above. In fact, by plugging in £ = in ^ 
we obtain that ^f(O) = T^2 k f(kT + s), which shows that 
J2k f(kT+ s) = 1/T. For future reference, we record this in 
the form of a proposition. 

Proposition 5. Let tp be a characteristic function such that 
ip(t) = whenever \t\ > tt/T for some T > 0, and let f be 
the corresponding probability density function. Then, for any 
s £ R, the function ^ : K — > C defined by 



*(0 



is f/ze characteristic function of a discrete random variable 
supported within the set {kT + s : fc € Z}. 77ie probability 
mass at the point kT + s is equal to Tf(kT + s). 

It should be noted that compactly supported characteristic 
functions do indeed exist — see e.g., [8, Section XV.2, 
Table 11. Bl. Hl9l . We also give an explicit construction after 
the proof of Theorem [7] in the next subsection. 

We will also need a multi-dimensional version of the Pois- 
son summation formula (see e.g., EOl Chapter VII, Section 2]). 
It is more natural to express this in terms of lattices, for 
which we first establish some terminology and notation. For 
a more detailed description of lattices and related definitions, 
see e.g. 0, 0. 

Fix an integer d > 1. Let A be a rank-d lattice in R d , and 
let A be a non-singular dx d matrix whose rows form a basis 
of A, i.e., A = A T Z d := {A T k : k £ Z d }. The matrix A is 
called a generator matrix for the lattice A. The determinant of 
A, denoted by dct A, is defined to be | det A|. It is a standard 
fact that the determinant does not depend on the choice of the 
generator matrix A. 

The dual lattice A* is defined as A* = {x £ R d : (x, z) £ 
Z for all z £ A}. It is not difficult to check that A* = kr Xr L d . 
We will call 27rA* := {27rx : x £ A*} the Fourier dual lattice 
of A, and denote it by A. 

Let ip : R d — s- C now be the characteristic function of 
an M d -valued random variable, such that L d |^(t)|dt < oo. 
Let the corresponding density function be / : R d —> K. The 
Poisson summation formula in R d can be expressed as follows: 
for any s £ M. d , we have for all £ £ M d , 



n£A 



V'(C+n)e- l<n ' s> = (detA)V /(k+s)e I<k+s ' C> , (10) 



keA 



provided that the series on the left converges to a continuous 
function ^(C). It should be pointed out that texts in Fourier 
analysis typically state the Poisson summation formula for an 




-n -nil D 7i/2 7t 
Fig. 2. A generic characteristic function supported on [— 7r/2, 7r/2]. 

arbitrary L 1 function /, and would then require that / and 
ip decay sufficiently quickly — see e.g., ||20l Chapter VII, 
Corollary 2.6] or E] Eq. (17.1.2)] — for (fTU| to hold. However, 



as argued by Feller in proving ([9]), in the special case of a non- 
negative L 1 function /, it is sufficient to assume that the left- 



hand-side of (10 1 converges to a continuous function ^(C)- 

lid 



For a lattice A in 

V(A) ={x€l d : 



let 



x < x- 



z|| for all z e A, 0}, 
(11) 

where || • || denotes the Euclidean (L 2 ) norm, be the interior of 
the Voronoi region of A around the point 0. In words, V(A) 
is the set of points of R d for which is the unique closest 
point of the lattice A. The following <i-dimensional extension 
of Proposition [5] follows easily from (10 1. 

Proposition 6. Let A be a rank-d lattice in R d . Let ip : R d — » 

C be a characteristic function such that ip(t) = for all t (£ 
V(A), and let f : M. d — > K be the corresponding probability 
density function. Then, for any s £ M. d , the function ^ : R — > 



defined by 



*(0 = ]>>(C + n) e - 



i(n, s) 



n£A 



is the characteristic function of a random variable supported 
within the set A + s := {k + s : k £ A}. The probability mass 
at the point k + s is equal to (det A) /(k + s). 

C. General Construction 

We now describe the construction of integer-valued random 
variables that satisfy (S1)-(S3). Let ip be a characteristic func- 
tion (of a continuous random variable X) with the properties 
that 

(CI) ip{t) = for \t\ > it/2, and 

(C2) ip{t) is real and non-negative for all t £ Ejj 
Note that since ip is real-valued, it must be an even function: 
iP(-t) = ip(t) for all t £ R. Also, ip(0) = 1. Since ip 
is integrable over K, by the Fourier inversion formula, the 
random variable X has a continuous density /. Note that 
Proposition |5] holds for T < 2. 

A generic such ip is depicted in Figure [2] As a specific 
example (see Table 1 of Section XV.2 in 111), a random 
variable with density function 



/(*) 



^#^(1 - cos7rx/2) 



if x = 
if x ^ 



(12) 



2 There is no loss of generality in imposing this requirement. Suppose that 
a random variable X has characteristic function if), which is complex-valued 
in general. Let Xi,X^ be iid rvs with the same distribution as X. Then, 
X\ — X2 has characteristic function ip'ip = \ip\ 2 . 
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-jt -nil Jt/2 

Fig. 3. ip(t) = max{0, 1 - 2\t\/ir}. 




-3u -5jt/2 -2n -3%I2 -it -it/2 rt/2 it 3it/2 2ji 5it/2 3rc 
Fig. 4. Period-27r extension of generic ip from Figure [2] 




-3rt -5re/2 -2re -3n/2 -It -It/2 It/2 It 3lt/2 2lt 5lt/2 3n 




Fig. 5. The periodic functions <po and if>% derived from ip. 



has characteristic function 



f(x) e ltx dx = max{0, 1 - 2\t\/ir}. 



Figure [3] shows a plot of this characteristic function. 

Reverting to our generic characteristic function tp, let tp 
be the periodic function with period 2ir that agrees with 
tp on [— 7r, 7r], as depicted in Figure [4] Note that tp(() = 
Y^L-oc tp((+2nn). Thus, applying Proposition p] with T = 1 
and s = 0, we find that ^ is the characteristic function of an 
integer-valued random variable, with pmf given by 

p(k) = f(k) for all k G Z. 



(13) 



Next, for s = 0, 1, define (£> s as follows: for £ e M, 

OO 



n— — oo 



It is easily seen that tpo is the periodic extension of tp with 
period ir, i.e., tpo is the periodic function with period tt that 
agrees with tp on [— 7r/2, tt/2], as depicted at the top of 
Figure [5] for a generic ?/> shown in Figure [2] 

On the other hand, ipi is periodic with period 2ir: its graph 
is obtained from that of tpo by reflecting about the £-axis every 
second copy of tp, as depicted at the bottom of Figure [5] 

Applying Proposition [5] with T = 2 and s <E {0, 1}, 
we get that tpo and (pi are characteristic functions of rvs 
supported within the even and odd integers, respectively. The 
pmf corresponding to (po is given by 



Po(k) 



!2f(k) if k is an even integer 
otherwise. 



(14) 



and that corresponding to ipi is 

hf(k) 

1° 



Pi(k) 



if A; is an odd integer 
otherwise. 



(15) 



From (13 I— (15 1, we have p(k) = h(po(k) + pi(k)) for all 



k e Z. 

Finally, note that since (po(t) and <f\(t) differ from <p(t) 
only when ip(t) = 0, we have 



(16) 



We can now prove the following theorem. 



Theorem 7. Let X,Y be iid Bernoulli (1/2) rvs. Suppose that 
we are given a probability density function f : R — > M + 
with a non-negative real characteristic function tp such that 
^(*) = Ofor \t\ > tt/2. Set p ul0 = p v]0 = p and p v \ x = 
Pv\i = Pit where pq and p\ are as in (14\ and 15 L Then, 



the resulting Z-valued rvs U and V satisfy properties (Sl)- 
(S3). Additionally, the rvs U and V have finite variance iff 
ip is twice differentiable, in which case the variance equals 

-V/'(o). 

Proof: From the given characteristic function tp, deter- 
mine the associated probability density / via Fourier inversion: 



i 

2V 



iP(t)e 



dt. 



Define the pmfs po and p\ as in (|T4ji and (15i. Set Pu\q = 
Py|o = Po and Pu\i = Pv\i = Pi~This implies that p v = 
pv = p, where p is as defined in ( [13) . 

Clearly, (|6]l holds. To verify (|8j, note that, by virtue of ( 16 1, 
we have for a £ {0, 1}, 



But, by construction, ipu<Pv\a = <Pv<Pu\a = Wa- 

Therefore, by Lemma [3] the random variables (U, V, X, Y) 
with joint pmf given by (pi) have the properties (S1)-(S3). 

It remains to prove the last statement in the theorem. This 
follows from the fact |8, pp. 512-513] that a probability 
distribution F with characteristic function \ nas finite variance 
iff x is twice differentiable; in this case, x'(0) = and 
x"(0) = —^2> where /i and fi2 are the mean and second 
moment of F. Thus, the pmf p under consideration has finite 
variance (to be precise, the distribution specified by p has finite 
variance) iff tp is twice differentiable. By construction, <p is 
twice differentiable iff tp is twice differentiable. In this case, 
as tp is real, so is p'(0), which implies that p has zero mean. 
Hence, the variance of p is equal to its second moment, and the 
final assertion of the theorem follows, since <p"(0) — ip"(0). 



Based on Theorem [7] secure computation of XOR at the 
relay works as follows: the nodes A and B modulate their bits 
independently to an integer k, with probability po(k) (from 
(14i) if the bit is 0, or with probability pi(k) (from (15i) 
if the bit is 1. The probability distributions can be chosen 
such that the modulated symbols have finite average power. 
The average transmit power is equal to the variance of the 
modulated random variable, which is —ip"(0), and a handle 
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on this can be obtained by choosing ip carefully. The relay 
receives the sum of the two integers, which is independent 
of the individual bits X and Y (of A and B respectively). 
However, the XOR of the two bits can be recovered at R with 
probability 1. This is done by simply mapping the received 
integer W to 1, if W is odd, and if W is even. To gain a 
better understanding of the construction of the rvs, let us see 
an example. 

As recorded previously (see Table 1 of [8 Section XV.2]), 



the probability density function / given in ( 12 1 has character- 
istic function 

ip(t) = max{0, 1 - 2\t\/n}. 

This function is plotted in Figure [3] 
From (fl~3)>-([T5)), we have 



p(k) 



^(1 - cos kn/2) 



if k = 
if k ^ 



Po(k) 



and 



Pi(*0 



if k = 

if k is odd 

if jfe = 2 (mod 4) 

otherwise 

if Jfe = 

if k = 2 (mod 4) 
otherwise 



-4m if k is odd 



otherwise. 



(17) 



(18) 



(19) 



Note that the pmf p in (17i does not have a finite second 
moment, and indeed, ip is not differentiable at 0. However, it is 
possible to construct compactly supported, twice-differentiable 
characteristic functions ip. We give here an explicit construc- 
tion of such a characteristic function. 

Consider the density (from 00 Section XV.2, Table 1]) 



/(*) 



2tt 

1— COS X 
7TX 2 



if x = 
if x ^ 



(20) 



which has characteristic function 



f(t) = max{0, 1 - (21) 

The function / has a triangular graph as in Figure [i] except 
that the base is [-1, lj. In particular, f(t) = for \t\ > 1. 

The function g = f * f, where * denotes convolution, can 
be explicitly computed to be 



s(t) = (/*/)(*) = 




t 2 + i 



if |*| < 1 

if 1 < \t\ < 2 (22) 
otherwise 



Proposition 8. The function h(x) = (37r 2 /4) [/(7rx/4)] 2 , with 



f as in {20 M, is a density function whose characteristic function 
is given by 



where g is as in (221. The function ip is non-negative with 
ip(t) — for \t\ > 7r/2. Furthermore, ip is twice differentiable, 
with ip"(0) = -48/ 'it 2 . 

Thus, rvs U and V can be constructed as in Theorem [7] with 

var([/) = var(y) = 48/tt 2 . 

Proof of Proposition [S] The stated properties of the function 
ip can be directly verified from ( 22 1. We will show here that 



h is a density function with characteristic function ip. 

Note first that / defined in (21 1 is also a probability density 
function — it is non-negative and its integral over (-co, oo) 
is 1. By Fourier inversion, its characteristic function is 2irf. 
Therefore, q = f * f is a density with characteristic function 

47T 2 / 2 . 

Now, f 2 is integrable since (f) 2 is integrable (see corollary 
to Theorem 3 of Section XV.3 of H). Hence, h(x) = 
f 2 (x) I (J^° f 2 (y) dy) is a probability density function. The 
integral in the denominator can be explicitly evaluated by 
means of the Plancherel identity: 



f(y)dy 



1 

27 



{f(t)} 2 dt 



1 

2^ 



5(0) 



1 

3^' 



the last equality following from (22 1. Thus, h(x) = 3irf (x). 

From the fact that Att 2 f 2 is the characteristic function of g, 
it follows by Fourier inversion that h has characteristic func- 
tion given by ip(t) = |g(t). Hence, h(x) = (it / A)h(irx / A) is 
a density function with characteristic function i/j(4t/n), which 
is precisely ip(t). □ 

Remark 9. It is even possible to construct compactly sup- 
ported C°° characteristic functions. Constructions of such 
functions are given in K19S . In fact, HI 911 constructs com- 
pactly supported characteristic functions ip such that the 
corresponding density functions f are even functions satisfying 
liniz-^oo x m f(x) — for all m > 0. This implies that all the 
absolute moments J_ oc> \x\ m f(x)dx exist, and hence, ip is a 
C°° function (see p. 512]). If such a characteristic function 
ip is used in the construction described in Theorem then 
the resulting 7L-valued rvs U, V will have pmfs pu(k),pv{k) 
whose tails decay faster than any polynomial in k. To be 
precise, lim^oo k m pu(k) = lim^oo k m pv(k) — for any 
m > 0. 

The above remark shows that we can have Z-valued rvs 
U,V satisfying properties (S1)-(S3), with pmfs decaying 
faster than any polynomial. However, the rate of decay cannot 
be much faster than that. Indeed, it is not possible to construct 
Z-valued rvs with exponentially decaying pmfs that satisfy 
properties (S1)-(S3). Define a pmf p(k), k € Z, to be 
light-tailed if there are positive constants C and A such that 
p(k) < CA~' fc ' for all sufficiently large \k\. 

Proposition 10. Properties (S1)-(S3) cannot be satisfied by 
integer-valued rvs U, V having light-tailed pmfs. 

Proof^ Suppose that U,V are Z-valued rvs satisfying (SI) 
and (S2). Using ip v = (l/2)(<p v \ + ip v \{) and Lp v = 

3 This proof was conveyed to the authors by Manjunath Krishnapur. 
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(l/2){ipv\a + <Pv\i) m 48}' we readily obtain 



<Pu\ = <Pu\i and <Pv\o = <Pv\v 



(23) 



If U, V have light-tailed pmfs, then pu\ a and pv\ a , a G 
{0, 1}, must also be light-tailed, since pu\ a < 2piy and py\ a < 
2jv- The key observation is that the characteristic function of 
a light-tailed pmf is real-analytic, i.e., it has a power series 
expansion 2~^^Lo c nt n > with c n € C, that is valid for alH £ K 
ifTTI Chapter 7]. Thus, (fu\a an d <fiv\a, f° r a € {0, 1}, are 
real-analytic. It is an easy fact, provable by comparing power 
series coefficients, that if functions g and h are real-analytic 
and g 2 = h 2 , then either g = h or g = — h. Applying this 
to (23 i, we find that <pxj\o = ±<pu\i, and similarly for V. In 
fact, since cpu and (py cannot be identically 0, we actually 
have ipu\Q = fu\i = <Pu, an d similarly for V. This implies 
that U JL X and V JL Y. From this, and (SI), we obtain that 
U + V JL X © Y, thus precluding (S3). ■ 

D. Extension to Finite Abelian Groups 

A close look at the modulations in the previous section 
reveals the following structure: points from the lattice 2Z and 
its coset (in Z) 1 + 2Z are chosen for sending bit and 1, 
respectively, according to a carefully chosen probability distri- 
bution given by Theorem [7] We shall extend the construction 
described in the previous subsection to d dimensions, thereby 
having a scheme by which properties (S1)-(S3) are satisfied 
in the absence of noise. 

A lattice A is said to be nested in a lattice A if A C A. We 
will refer to Ao as the coarse lattice and A as the fine lattice. 
In essence, in the construction discussed earlier, we had a fine 
lattice A = Z and a coarse lattice Ao = 2Z with the quotient 
group A/Ao consisting of the two cosets 2Z and 1 + 2Z 
making up the probabilistically-chosen modulation alphabet. 
Note that the quotient group in this case is isomorphic to Z2, 
and this enables recovery of the XOR of the bits (addition in 
Z2) from integer addition of transmitted symbols modulo the 
coarse lattice. Also, the choice of the probability distribution 
(from Theorem [JJ) ensures that the choice of coset at each 
transmitter is independent of the integer sum at the relay. 

Now, any finite Abelian group G can be expressed as 
the quotient group A/A for some pair of nested lattices 
A C A. Indeed, any such G is isomorphic to a direct 
sum of cyclic groups: G = Zn x © Ztv 2 © • • • © Zjv d for 
some positive integers Ni, N%, . . . , ifTOl Theorem 2.14.1]. 
Here, Zjy- denotes the group of integers modulo- Nj. Taking 
A = Z d and Ao = AZ d , where A is the diagonal matrix 
diag(A l7 N 2 , ■ ■ ■ , N d ), we have G = A/A . So, the finite 
Abelian group case is equivalent to considering the quotient 
group, i.e., the group of cosets, of a coarse lattice Ao within 
a fine lattice A. These lattices may be taken to be full-rank 
lattices in R d . 

As an example, let N > 2 be an integer, and let Zjy = 
{0, 1, . . . , N — 1} denote the set of integers modulo N. Let 
X,Y be iid random variables uniformly distributed over Zjv, 
and let X © Y now denote their modulo- N sum. Similar to 
the binary case discussed so far, given a non-negative real 
characteristic function -0 such that %jj(t) — for |i| > ir/N, 



we can construct Z-valued random variables U, V, jointly 
distributed with X, Y, for which properties (S1)-(S3) hold. In 
this case, the finite Abelian group can be taken as the group 
of cosets of the coarse lattice AZ within the fine lattice Z, 
which is isomorphic to Z^r. 

For a full-rank lattice Ao in M. d , let V(Aq) denote the interior 
of the fundamental Voronoi region of Ao, i.e., V(Aq) is the 
set of points of M. d for which is the unique closest point of 
the lattice A. As defined earlier, the dual lattice is defined as 
Ao = { v <= Rd '■ x7 V e Z, Vx e A }, and the Fourier dual 



is Ar 



2nA* 



Let Ao be a sublattice of A of index N (i.e., the number 
of cosets of A in A is N). List the cosets of A in A as 
Ao, Ai, . . . , Ajv-i, which constitute the quotient group G = 
A/Ao. As before, © denotes addition within G. 

Consider rvs X, Y uniformly distributed over G. We wish 
to construct rvs U, V taking values in A, having the properties 
(S1)-(S3). The following theorem shows that this is possible. 
Here, Kl + denotes the set of all non-negative real numbers. 

Theorem 11. Suppose that if> : M. d — > R + is the characteristic 
function of a probability density function f : M. d — > R + , such 
that ip(t) — for t ^ V(Ao), where Aq is the Fourier dual of 
A . For j = 0, 1, . . . , N — 1, define the pmf Pj as follows: 



Pi(k) 



jdetA|/(k) 



if k G Aj 
otherwise. 



(24) 



Finally, define a random variable U (resp. V) jointly dis- 
tributed with X (resp. Y) as follows: if X = Aj (resp. 
Y = Aj), U (resp. V) is a random point from Aj picked 
according to the distribution pj. Then, the resulting A-valued 
rvs U, V satisfy properties (S1)-(S3). Additionally, if if) is twice 
differentiable, then E||C/|| 2 = E||y|| 2 = -V 2 ip{0), where 
V 2 = 53y=i d 2 is the Laplacian operator. 

As with Theorem [JJ and XOR, the above theorem allows 
for secure computation at the relay of the group operation 
X © Y. The theorem is proved in a manner completely 
analogous to Theorem [7J the main difference being that the 
multi-dimensional Poisson summation formula is used in place 
of i9). The interested reader is directed to Appendix-A for the 
proof. 

Constructing compactly supported twice-differentiable (or 
even C°°) characteristic functions ip : R d — >• R + , d > 1, 
is straightforward, given our previous constructions of such 
functions from M to M + . Suppose that for i = 1, 2, ...,t, 
ipi : K — > R + is the characteristic function of a random 
variable Xj, such that ipi(t) = for \t\ > Aj, with Aj > 0. 
Then, ip(ti, . . . ,td) = Yli=i V'i(^) is the characteristic func- 
tion of the random vector X — (X l5 . . . , X^). Note that ip 
is compactly supported: ?/>(t) = for t ^ J^J < _ 1 ( — A,-, A^). 
Moreover, if the ipi$ are twice-differentiable (or C°°) for all 
i, then so is ip. 

Our objective is to design codes (as defined in Definition [TJ) 
for secure computation at the relay. With the construction 
described above, the rate of the code depends on the number 
of cosets, N, of Ao in A. For a given average power con- 
straint, the system designer is usually faced with the task of 
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maximizing the rate. Equivalently, for a given rate, the average 
transmit power must be kept as small as possible. The transmit 
power is equal to the second moment of U (or V). Therefore, 
while any characteristic function tp supported within V(Aq) 



suffices for the construction of Theorem 11 we must use a tp 
for which — W 2 tp(0) is the least among such tp's. This would 
yield random variables U and V of least second moment (and 
hence least transmit power), having the desired properties. The 
transmit power can be made as small as desired by simply 
scaling down the lattice. Suppose that the random variables U 
and V, distributed over a fine lattice A, had second moment 
P. Then, for any a > 0, the random variables U' = all and 
V' — aV, distributed over a A :— {az : z e A} have second 
moment a 2 P. Choosing a small enough a would suffice to 
satisfy the power constraint. However, as we will see in the 
following sections, when we have to deal with the additive 
noise in the MAC channel, it is is not possible to scale down 
the lattice arbitrarily if the probability of error is to be made 
small. It turns out that for a given lattice, the second moment 
(which depends solely on the choice of tp) cannot be made 
arbitrarily small. Indeed, the following result, adapted from 
gives a precise and complete answer to the question of 
how small — V 2 tp{0) can be for a characteristic function tp 
supported within a ball of radius p in R d . 

Theorem 12 (g), Theorem 5.1). Fix a p > 0. If tp is a 

characteristic function of a random variable distributed over 
R d such that tp(t) = for ||t|| > p, then 

-V 2 ^(0) > (25) 



with equality iff ip(t) 
oj d (t) = 7dOi(2||t||j<i- 
for ||t|| > 1/2, and 



tp(t/p) for ip = u d *uj d . Here, 
for ||t|| < 1/2 and w d {t) = 



LOd*uj d {t) = / uj d {r)uj d {t + r)dr 



denotes the folded-over self convolution of u d , with UJ d (t) 
denoting the complex conjugate of uj d (t). Also, jk denotes 
the first positive zero of the Bessel function Jk- Furthermore, 
for t € R, 

n d (t) =r(d/2)(-j 2 J«_2{t) 



and 



4jt| 



■K d / 2 T{d/2)Ji (jfca)' 



where T(-) denotes the Gamma function. The density f cor- 
responding to the minimum-variance -0 is given by /(x) = 
p d f(px), where 



- / n d (||x||/2) 



(26) 



where 



Cd 



4 d 7r d / 2 r(d/2) ' 



X e 




Relay R 



w' Coset Aj ffi At 
decoding = X ffi Y 



Fig. 6. The operations performed by the user nodes and the relay. 



IV. The Gaussian Noise Setting 



The modulation scheme of Section |III-D| extends in a very 
natural way to a lattice coding scheme that can be used for 
secure and reliable computation over a Gaussian MAC channel 
described by 



w = u 



n. 



where z is zero-mean iid Gaussian noise with variance a 1 . 
The coding scheme that we use is as described below. This is 
largely based on the lattice coding schemes in Q, [ 1 2 1 . 
Code: A (A^ , ) nested lattice code consists of a pair of 
full-rank nested lattices Aq C A^ in K d . The computation 
is performed in the group = A^/A { Q d \ whose = 
lA^/A^I elements are listed as A , A 1; . . . ,AjvM-i- 
Encoding: We have messages X, Y at nodes A, B that are 
independent rvs, uniformly distributed over <G^. We first 
pick a characteristic function tp supported within V(A^), 
as needed in Theorem 11 We impose the restriction that ip 
be supported within a ball centered at with radius equal 
to the packing radius, r pac ^(A^), of the dual lattice A^f\ 
Now, the packing radius is, by definition, the largest radius 
of a ball centered at that is contained within V(Aq ). So, 
if i/j(t) = for ||t|| > r pac k(Ao), then ^(t) is certainly 
supported within V(A ). If X = Aj, node A transmits a 
random vector u e Aj picked according to the distribution 
Pj of Theorem 11 Similarly, if Y = Afc, node B transmits a 



random vector v£ At picked according to the distribution pp.. 

2 N( d \ 

The average transmit power per dimension at each node is 
p(d) _ -V j/>(0) ^ as j n Theorem [ill Thus, from Theorem 12 

ow 

(27) 



The rate of transmission from A or B is = i lo 

. __mension at t 
-v 4>(o) ^ as j n jlieorem [ll| Thus, from Theorem 
we see that an average transmit power per dimension as 

as 

,•2 



p(d) 



4jl 



p 2 d 



with p = r pac k(AQ <i - ) ), is achievable by a suitable choice of ip. 
It was shown in ||2TI (see also (5,1) that the first positive zero 
of the Bessel function Jk can be written as jf. = k + ak 1 ^ 3 + 
0{k^ 1 / i ), where a is a constant independent of k. Therefore, 



(28) 



where o d (l) — > as d — > oo, is achievable by a suitable choice 



of ip using Theorem 12 



Decoding: The relay R receives w = u + v + z, where 
z is a Gaussian noise vector with d independent AT(0, a 2 ) 
components, which are all independent of u and v. The relay 



10 



estimates Aj Afc to be the coset represented by the closest 
vector to w in the lattice A, which we denote by Qa(w). 
Security: Since the noise z is independent of everything else, 



Theorem 11 shows that w is independent of the individual 
messages X, Y. Hence, even in the noisy setting, perfect 
security continues to be guaranteed at the relay for any choice 
of the nested lattice code. 

Reliability and achievable rate: Let denote the probability 
that Qa(w) is different from the coset to which u + v 
belongs. From our definition of achievable power-rate pairs 
in Section |nj a pair (V,TZ) is achievable if for every e > 0, 
there exists a sequence of nested lattice codes ( A^ , Aq^ ) for 
which the following hold for sufficiently large d: > 1Z— e, 
p{d) < p + e and >q$ < e. 



A. Lattice properties 

We have seen that secure computation can be guaranteed 
with any nested lattice code. However, for reliable computa- 
tion, we will require the sequence of nested lattices to satisfy 
certain properties, which we define here. A more detailed 
treatment of the following notions can be found in e.g., 0, 
0,0. 

The effective radius of a lattice A, denoted by r e s(A), is the 
radius of a d-dimensional sphere that has the same volume as 
that of the fundamental Voronoi region of A. The covering 
radius of a lattice A, denoted by r cov (A), is defined as the 
radius of the smallest ball centered at that contains V(A). 
A sequence of lattices, A^ d \ indexed by the dimension d, is 
said to be good for covering if 

r™ v (A( d )) 
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Fig. 7. Illustrating the Qa (-) and the [.] mod Ao operation. The black and 
blue points denote the fine lattice (A) and the larger, blue points are the 
coarse lattice (Ao) points. The dotted lines enclose the Voronoi regions of the 
corresponding points in Ao. 



dimension d. Lattices that satisfy the above property are called 
good for AWGN channel coding. 

In order to find achievable rates, we assume that the lattice 
code/sequence of nested lattices (A (d) , A Q d) ), with A { Q d) C A (d) 
for all d, satisfies the following properties: 

(GC1) The sequence of coarse lattices, (Aq^) is simultaneously 

good for covering and AWGN channel coding. 
(GC2) There exists a (3 > such that 



1 



lim ^r pack (A^)roov(AD = P 



(32) 



lim 

d^oo r ef f(Aw) 



1. 



(29) 



Given a lattice A, let r pac k(A) denote its packing radius. A 
sequence of lattices is said to be good for packing if 



r Vdc(AW) i 
lim — — > - 

d^oo r eff (A( d )) ~ 2 



(30) 



Consider an AWGN channel with noise vector n having 
variance a 2 . It was shown in |15| that there exists a sequence 
of lattices A^ in R d , such that, the probability that the 
noise vector lies outside the Voronoi region of a lattice point 
satisfies, 



Pr[n £ V(A^)] < e - rf 0MM)+°<*(i)) 

vol(v(A (d) ')' 



where o<j(l) — > as d —> oo, and /i 



-. Also, 



Aj 

167re ' 
- ) 1 



87re < p 

Eu(j*)={%hi£, Ane<p<8ire (31) 

/- - | In 2ne < p < 4ne 

Suppose such lattices are used as codebooks for transmission 
over an AWGN channel. Then, as long as [i > 2ire, i.e., 

vol(V(A( rf ))) 2/<i 

y 9 ' > 27T6 

G 

the probability that a lattice decoder decodes to a lattice point 
other than the transmitted point decays exponentially in the 



where A^ denotes the Fourier dual lattice of A^\ 
(GF1) The sequence of fine lattices, (A (d) ) is good for AWGN 
channel coding. 

It was shown that there exist nested lattice pairs that satisfy 
(GC1) and (GF1) 0. We will show that there exist lattice 
pairs that satisfy all the three properties. But before that, we 
will characterize the rate-power region that is achievable using 
lattices that satisfy properties (GCl)-(GFl). 

B. Achievable Power-Rate Region 

In order to find the achievable power-rate region, we use 
the theory developed in 0, lfT2l . ifTJl . Let us look at the 
decoding at the relay in more detail. As described earlier, the 
relay finds the coset represented by the closest vector to w 
in A, and this is taken to be the estimate of Aj ® Afc. As 
before, for w £ M. d , let Qa( w ) denote the closest point in 
A to w. Note that the same coset is represented by Qa([w] 
mod Ao), where [w] mod Ao denotes the point w — Qa (w). 
Here, Qa ( w ) denotes the vector in the coarse lattice A 
which is closest to w. These operations are illustrated in Fig. [7] 
Similarly, the individual cosets Aj and A^ can be represented 
by their respective coset representatives within the fundamen- 
tal Voronoi region of the coarse lattice. Let x = [u] mod Ao 
and y = [v] mod A be the coset representatives of Aj and 
A/, respectively. Then, Aj © A& has [x + y] mod Ao as its 
representative. Therefore, in terms of the notation introduced 
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[Q A (-)] mod A 
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Fig. 8. MAC phase of the bidirectional relay and equivalent MLAN channel 
representation 



above, the estimate of Aj © made at the relay is the coset 
represented by w = [Qa(w)] mod Ao, where Q\(w) repre- 
sents the closest point in A to w. However, this is also equal 
to w = [Qa([w] mod Ao)] mod Ao. Let w = [w] mod Ao. 
Then, w = [Qa(w)] mod Ao. As a consequence of the 
transmitter-receiver operations, the "effective" channel from 
x,y to w can be written as follows: 

w = [u + v + z] mod Ao 

= [([u + v] mod Aq) + z] mod A 
= [([x + y] mod A ) + z] mod A 

A channel of the above form, w = [x+n] mod Ao, is called 
a modulo lattice additive noise (MLAN) channel (6). Hence, 
for the relay, the effective channel appears like a point-to- 
point transmission over an MLAN channel with the transmitted 
vector being [x + y] mod Ao. This is illustrated in Fig. [8] We 
will use the properties of the MLAN channel to determine 
achievable rate regions for our coding scheme. Indeed, the 
following proposition follows easily from the results in [6| and 
[12|. For completeness, a proof is provided in Appendix B. 
Let r cov (A) denote the covering radius of the lattice A. 

Proposition 13. Let M > be a constant. A rate 1Z = 
\ log 2 ( -T- ) is achievable with perfect secrecy by a sequence of 



M) 



nested lattice pairs (PS d \ A ^) satisfying r C0V (Ag 
for each d. 

In order to achieve the above rate, {hS d ^ , Ag ) must satisfy 
(GC1) and (GF1) mentioned in Section |IV-A In any com- 
munication system, is always desirable to maximize the rate 
1Z while keeping the average transmit power per dimension, 
V to a minimum. For our problem however, for a given 
coarse lattice A , how small the average transmit power can 
be made is governed by the requirement that the characteristic 



function fj needed in Theorem 11 must be supported within 
V(Aq). From (28 I, we have the average transmit power being 



dependent on the packing radius of the Fourier dual of Ao. 



On the other hand, Proposition 13 shows that, in the large 



d regime, the achievable rate for a well-chosen (A^Ag^) 
pair is governed by the covering radius, r cov (A^). Suppose 
the sequence of lattice codes satisfy (GCl)-(GFl), for some 
j3 > (j3 as defined in property (GC2)). Take the constant 
M in the proposition to be /3 2 "P, for a constant V > 0, so 
that r cov (A d) ) = fisfdV. We then find, via (28 1 and (32 1, that 

5Vck 2 ( A o d) ) 1 /' p and hence p[d) f > - Hence, given an 
e > 0, P (d) < V + e for sufficiently large d. 

Furthermore, from Proposition [13] as long as 1Z < 
| \og 2 (/3 2 P /a 2 ), the average probability of decoding error 
goes to 0, as d —> oo. Therefore, there exists some subse- 
quence of (A( d \ A ( d) ) for which R.W > 11- e and r] en < e for 
sufficiently large d. According to the definitions in Section p] 
we have the following lemma: 

Lemma 14. The point (V, \ \og 2 (l3 2 V /a 2 )) in the power- 
rate region is achievable with perfect secrecy using the lattice- 
based coding scheme described in Section [7^ 

What remains now is to establish the existence of nested 
lattices that satisfy properties (GCl)-(GFl). 



V. A Random Ensemble of Lattices and Its 
Properties 

In H, it was shown that there exist sequences of nested 
lattices that satisfy (GC1) and (GF1). The coarse lattices that 
were used in [6| came from a random ensemble obtained by 
randomly picking a (d, k) linear code [18| over Z 9 , the set of 
integers modulo-g, q prime, and applying Construction- A [3] 
on the code. It was shown in [7 1 that such an ensemble contains 
lattices that satisfy these properties. For completeness, we 
describe the construction of the ensemble. 

A. The (d,k,q) Ensemble 

Let d and k be positive integers with k < d, and q be a 
prime number. 

1) Choose a k x d matrix G uniformly at random over Z^ xd . 
This is done by choosing each element (there are dk of 
them) of G uniformly over Z q , and independently of the 
other entries. Note that G need not be full-rank. However, 
the probability that G is nonsingular goes to 1 as d — k 
tends to oo [7|. The matrix G is the generator matrix of 
some linear code C(G). 

2) Apply Construction A on the code generated above. This 
is done as follows: 

• The codebook generated using G is C(G) = 
{(G T y) mod 9 :ye Z k q }. 

• The codebook is then scaled so that the code points 
are restricted within the rf-dimensional unit cube: 
C = (l/g)C(G) = {(l/g)x : x e C(G)}. The 
points in the set C' lie on the vertices of a q x q 
rectangular grid sitting within the unit cube. 

• The lattice is obtained by repeating these points over 
the entire space, R d . i.e. A(C) = C + Z d := {c + x : 
c G C',x e Z d }. 

Following the terminology used in Q, we will henceforth 
call this a (d, k, q) ensemble. Also, from the construction, it 
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is clear that Z d is a sublattice of A(C). More detail regarding 
Construction A lattices can be found in Q. 

We now describe the construction of the ( A^ , Ag ) nested 
lattice codes. The coarse lattice A is chosen from a (d, k, q) 
ensemble, for d = 1,2, with k and q being appropriately 
chosen functions of d. An appropriate choice of k and q will 
ensure that the ensemble contains lattices that satisfy (GC1). 
In fact, it was shown in [7] that as long as k and q are chosen 
in the right manner, a randomly picked lattice from a (d, k, q) 
ensemble is good for covering, packing and AWGN channel 
coding, with probability tending to 1 as d tends to infinity. 
A sequence of lattices (A^) from this ensemble, that satisfy 
(GC1) is chosen as the sequence of coarse lattices. Suppose 
we have fixed (Ag^). Let A^ be the lattice generator matrix 



be a prime such that 



T{d/2 + 1) < qk < T(d/2 + 1) 



then A^ is good for covering and packing, with proba- 
bility approaching 1 as d — > oo. 
• If in addition, fj, < 1/2, then, A^ is also simultaneously 
good for AWGN channel coding for additive Gaussian 

noise with variance a 2 = (— ^r^A^H , with proba- 
bility approaching 1 as d — > oo, for the p as fixed initially. 

It can be verified that for a lattice A^ that satisfies the 

\fdr n 



hypotheses of Theorem 
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of Ag , for d = 1, 2, .... For this choice of (A^ 1 '), we construct 
another ensemble of lattices from which we pick the fine 
lattices (A^). This consists of two steps. 

• First, consider a (d,ki,qi) ensemble of Construction A 
lattices, with k\ and q\ possibly different from k and q, 
and qi being prime. As mentioned earlier, every lattice in 
this ensemble contains Z d as a sublattice. If the generator 
matrix of a lattice A^ in this ensemble has full rank, the 

number of cosets of Z d in A* is q^ 1 . 

• The lattices in the (d,k±,q%) ensemble are subjected 
to a linear transformation by the matrix (A^) T , the 
generator matrix of the coarse lattice, i.e., A^ = 
(A^) T Af } := {(A<«0) T y : y G A ( f d) } . The fine 
lattices are chosen from this resulting ensemble. 

It was shown in |[T2"1 that as long as q± is chosen so that 
d/qx — > as d — > oo, a lattice picked randomly from 
the ensemble obtained after the second step will be good 
for AWGN channel coding, with probability tending to 1 as 
d — > oo. (A proof is provided in Appendix B of [12].) Hence, 
we can choose the sequence of fine lattices to satisfy (GF1). 

Ad) 



< r eff (AW) < 2Vdr 
Moreover, a lattice that is good for AWGN coding for a noise 
variance of a 2 is also good for AWGN channel coding for 
any noise variance less than a 2 . Therefore, the "good" lattices 
obtained from Theorem Q3] can be used as codes for AWGN 
channels with noise variance less than ( -fminj ■ 

In summary, we can always choose a sequence of lattice 
pairs that satisfy (GC1) and (GF1). We now have to show the 
existence of coarse lattices that satisfy (GC2). Before doing 
so, we discuss some properties of Construction A lattices. 

B. Properties of Construction A Lattices 

Proposition 16. Suppose that G is a kxd generator matrix of 
a (d, k) linear code C over Z q , q being prime, and G having 
the form 

G = [ I* B ] , 

where Ik denotes the k x k identity matrix. Let A(C) be the 
lattice obtained by employing Construction A on the code C. 
Then, the matrix 



A 



Ik 




B 

ql(d-k) 



(33) 



Moreover, since A = {A^) T Z d := {(A( d )) T x : x e Z d } ; s a generator matrix for the lattice A(C). 



and = (A^) T A ( f d) , and Z d C A ( f d> , we can see that 



V 



/ 



A {d) C A^). Here A {d) is a lattice in the (d, ki,qi) ensemble. 
The number of cosets of in A^ will be q^ 1 (provided 
that the generator matrix of Ay^ is full-rank) and hence, the 
rate of the ( A^ , A (d) ) code will be 



A proof of the above proposition is provided in Appendix C. 
It can be shown in a similar manner that if G has the form 

G = [ B I fc ] , 

then, the following is a generator matrix for A(C): 



log 2 (9i) 



A = 



B 

q\d-k) 



h 
o 



By choosing qi and ki appropriately, the rate can be varied. 

As mentioned earlier, the choice of k and q affect the 
properties of the ensemble of coarse lattices. In this regard, we 
state a theorem from [7|, which we will need subsequently. 

Theorem 15. Theorem 5, Let p > 1 be fixed arbitrarily. 
Define 

P 2 1 



Lemma 17. Let C, G, A(C) be as in Proposition 16 Then, 



the dual of A(C), denoted by A*(C), has generator matrix 





32Eu(27rep 2 )' 4 



Proof: Consider, 



A(A* 



where Ejj{-) is the Poltyrev exponent, as defined in (371. Let 
A' be chosen from a (rf, k,q) ensemble, and A^ = V dA'. 
• If k (as a function of d) satisfies k < pd for some < 
p < 1 but grows faster than log 2 d, and q is chosen to 



1 

<1 
1 

q 



L 
o 

qlk 
o 



qlk 



B 

ql(d-k) 
o 

qi(d-k) 



qh 
o 



(34) 



-B 
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Similarly, (A*) T A = I d . ■ 
Since a permutation of the rows of a generator matrix of a 
lattice also yields a valid generator matrix for the same lattice, 



— B T 
qlk 



l (d-fe) 





is also a generator matrix for A*(C). If C 1 - denotes the dual 
code of C, then C 1 - has a generator matrix [18| 



G = [ B 2 



l (d-fc) 



Therefore, we can conclude that the dual lattice, A*(C) 
is a q-scaled version of the lattice obtained by applying 
Construction-A to C^. In other words, A*(C) = qA{C x ). 
Moreover, if the generator matrix is full-rank, then A(C _L ) 
belongs to a (d,d — k, q) ensemble. Therefore, from Theo- 



rem 



15 



we can say that a randomly picked A(C ) is good for 
packing and covering with probability tending to 1 as d — > oo, 
as long as d — k < [id for some < jx < 1, and d — k 



grows faster than log d. From ( 29 1 and ( 30 1, we see that the 



properties of covering and packing goodness are invariant to 
any scaling of the lattices. Therefore, if A(C ) is good for 
packing and covering, then qA(C ), and hence A*(C) is also 
good for packing and covering. Since the set of packing and 
covering-good lattices forms a high probability set for large 
d, by the union bound, we can argue that if k = \id for some 
/i < 1/2, then a randomly picked lattice is good for covering, 
packing and AWGN coding, together with the property that its 
dual is good for packing and covering (with probability going 
to 1 as d —> oo). We record this in the form of a corollary. 

Corollary 18. Let A' be a lattice randomly chosen from 
a (cJ, q) ensemble, with d, k satisfying the hypotheses of 
Theorem [75] and k — [id, for some < [i < 1/2. Let 
A = \ZdA'. Then, with probability approaching 1 as d — > oo, 
A is good for covering, packing and AWGN channel coding, 
and in addition, the dual lattice A* is simultaneously good for 
packing and covering. 

Theorem 19. There exists a sequence of lattices that simul- 
taneously satisfies properties (GC1) and (GC2). 



Proof: From Corollary 18 we know that there exist 
sequences of lattices that are good for covering, packing and 
AWGN channel coding, with the dual lattices also being good 
for packing and covering. Such lattices can be chosen from a 
(d, k, q) ensemble, with k = [id for some < [i < 1/2. 

Let us choose (A^) to be a sequence of lattices that satisfies 
the above properties. This sequence of lattices satisfies (GC1). 
For ease of notation, denote by r e ff, the effective radius of 
A( d \ The index, d, in has been dropped but it must 
be understood that this is a function of d. Let denote 
the (d,k) code over Z q that generates A^ d '. The number of 
codewords in CW is equal to q k , and this is equal to the 
number of distinct points of A within a e?-dimensional cube 
of side \fd. Equivalently, since contains VdZ d as a 

sublattice, this is equal to the ratio of the volume of a d- 
dimensional cube of side \fd to that of a d-dimensional sphere 



of radius r e g. 

gfc = rfrf / 2 r(d/2 + i)) 

( d 



d d / 2 Vdn 



\ 27rer, 



eff 



d/2 



where the second step uses Stirling's approximation, and 0^(1) 
is a term that approaches as d — > oo. Since k = [id, 

(p = d 1/2 (dn)^ ^—A—^j V2 (1 + 0d (l)) 1/d 

Let A^* denote the dual of A^ d \ and r eff * denote the effective 
radius of A (d) *. Let A(C (rf)J -) be the lattice obtained by 
applying Construction-A on the dual of C^ d \ i.e., on 
As remarked earlier, A(C^ ± ) comes from a (d,d — k,q) 
ensemble. From Lemma 
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A( d )* = (q/Vd)A(CW x ), where 
the 1/Vd appears because the lattice A is obtained from 
A' by scaling by a factor of \fd. Therefore, (d/q)A^* = 
VdA{C {d ^) will satisfy 



d/2 



,d-k 



= Vdjrd d / 2 



(r eff (fAW*) 



(l + o«l(l)) 



where o d (l) -> as d -t oo. But r eff (^A (d) *) = |r eff *, and 
hence 

Rearranging, 



( d — 



d/2 



(l + o d (l)) (35) 



(dTT) 



--(l + o d (l)) 1/d 



(36) 



Let the covering radius of A^ be r cov (A^^) = a(d)r e ff. 
From the definition of the covering radius, a(d) > 1 for all d. 
Moreover, since the sequence of lattices is good for covering, 
a(d) — > 1 as d — >• oo. Also, let the packing radius of A^* be 
^pack(A^ d '*) = 7(d)r e ff*. From the definition of the packing 
radius, 7(d) < 1 for all d. Again, since the dual lattice is good 
for packing, lim^co 7(d) > 1/2. Therefore, we have, 

rcov(A^)rpack(A^*) = a(d) 7 (d)r eff (A)(d7r)( 1 / 2d ) -J== 

y/2ire 

x (l + o d (l)) 
= a(d)7(d)r eff (A)(d7r)( 1 / 2<i )(d7r)( 1 / 2d ) 
d 1 ..... 



V27rer e ff(A) V27re 
And hence, 

r C ov(A( £i ))r pack (A( £i )*) (1/d) 1 

j = a{d)-/(d)(dTry 1 ' d > — (1 + 0d (l)) 

(37) 

Therefore, as d — > 00, the above expression converges to a 
value greater than or equal to 1 /Aire. Hence, we can conclude 
that (A^)) also satisfies (GC2), with the j3 in (GC2) being ^. 

■ 

We have shown that there exists a sequence of coarse 
lattices that satisfy (GC1) and (GC2), with /3 = From 
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the discussion in Section [V-A| we see that the fine lattices can 
be chosen to satisfy (GF1). Hence, we now have a sequence 
of nested lattices that satisfy (GCl)-(GFl). Therefore, from 
we can conclude that the point (V, \ log 2 ( 4 ? a )) 



Lemma 
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is achievable, concluding the proof of Theorem [T] 



Appendix A 



We give here a proof of Theorem 11 We are given 
an index-A sublattice A of the lattice A. It should be 
noted that (det A )/(det A) = N [2. Theorem 5.2]. Let 
Aq, Ai, . . . , Ajv-i denote the N cosets of Ao in Z d . These 
constitute the elements of the quotient group G = Z d /Ag. 

Suppose that X, Y are iid random variables, each uniformly 
distributed over G. For each j £ {0,1, . . . N — 1}, let pj be a 
pmf supported within the coset Aj, so that Pj(k) — for k ^ 
Aj. We define a random variable U (resp. V) jointly distributed 
with X (resp. Y) as follows: if X — Aj (resp. Y = Aj), 
U (resp. V) is a random point from Aj picked according to 
the distribution pj. Then, U and V are identically distributed 
with pu = p v = jjYsiLo 1 Pi- Let fu, <PV and <p jt j = 
0, 1, . . . , N — 1, be the characteristic functions corresponding 
to pu, pv an d Pj, j = 0, 1, . . . , N — 1, respectively. We have 
the following straightforward generalization of Lemma [3] 

Lemma 20. Suppose that tpufv — <Pj<Pv = ^uVj f or j = 
0, 1, . . . , N — 1. Then, the random variables (U, V, X, Y) with 
joint pmf given by 

PwxY^A^Aj) = (l/N)(l/N) Pi (k)pj(l) 

for k, 1 £ A and A t , Aj £ G 



(38) 



have properties (L1)-(L3). 



We will now construct the characteristic functions ipj that 
satisfy the above lemma. Let / be the (continuous) probability 
density function corresponding to the compactly supported 
characteristic function ip in the hypothesis of Theorem 11 
The function / can be retrieved from ip by Fourier inversion: 

/« = / mz- 1 ^ dt 



(2w) d 
1 



V>(t) e - J<t < x> dt 



(39) 



Note that each coset Aj can be expressed as Uj + Ao for some 
Uj e A. We set 



nGAo 



for all £ G R d . Then, by Proposition |6] we have that pj is 
supported within Aj, and 



Pj(k) = (det A ) /(k) for all k e Aj 



Finally, define 



<KC) = $>K + n ) 



(41) 



(42) 



n£A 



for all C G R d . 

We make two claims: 



(i) <p 2 = m - forj = 0,l,...,Ar-l; 

(ii) (p = (fu = (fv- 

Given these claims, by Lemma [20] the random variables U, V 
satisfy the properties (L1)-(L3). 

Both claims follow from the fact that A is a sublattice of 
Aq. (If a lattice T contains a sublattice Tq, then the dual T* 



is a sublattice of T^.) To see (i), we re-write (42 1 as 



^(0 = + n)e- l < n ' u ^ 

n£A 



(43) 



This is possible because, for n £ A = 2ttA* and Uj £ A, we 
have e - *( n ' U;f ' = 1. Comparing (40 1 and (43 1, and noting that 
if) is supported within V(Ao), it is evident that supp((ys) := 
{C : v(C) 7^ 0} i s contained in supp^j) := {C : <Pj(C) 0}- 
Furthermore, for all £ £ supp(</?), we have <p(C) = <Pj{Q- 
Claim (i) directly follows from this. 

For Claim (ii), we note that V(A ) C V(A), since A is a 
sublattice of Ao. Hence, we can apply Proposition ^ to deduce 
that ip is the characteristic function of a pmf p supported within 
A, with 

p(k) = (det A) /(k) for all k £ A. 

Thus, from (|4lJ and the fact that (det A )/ (det A) = N, we 
see that p = jf Ylj=o Pj- ^ n °th er words, p = pu = py, 
which proves Claim (ii). 

It remains to prove that if i/j is twice differentiable, then 
E\\U\\ 2 = -V 2 -0(O). Since U and V are identically dis- 
tributed, we would then also have i?||F|| 2 = — V 2 V'(0). Write 
U = (Ui,...,U d ), so that \\U\\ 2 = Ul + --- + Uj. We want to 
show that E[Uj] = —-^^(Q), for j = 1, . . . , d. For notational 
simplicity, we show this for j = 1. Note that the characteristic 
function of Uj, is given by (p Ul (t\) = (fu(ti, 0, . . . , 0). As 
argued in the proof of Theorem |7j iJjT/j 2 ] = —(p Ui (0). Now, 



ip' Vi (0) = j^z(p v (Q, 0, . . . , 0). From (|42|i, we see that ip v = ip 

. , 0). Therefore, 



in a small neighbourhood around = (0, 0, . 

92 <fu(0) = §^ip(0), and hence, E[Uf] 



desired. 



This concludes the proof of Theorem 1 1 



Appendix B 

Here, we give a proof of Proposition [13] This is essentially 
a modification of the proof by Nazer and Gastpar for the 
compute-and-forward framework in |[T2l . As observed in Sec- 
tion IV-B the relay at w "sees" an effective MLAN channel 



(40) with [x + y] mod Aq as input. Therefore it is sufficient to 
show that a rate of ~ log 2 f^rj i s achievable on the MLAN 
channel using nested lattice codes. 



We use a sequence of ( A^> , A^ ) nested lattice codes, 
indexed by the dimension d, with A^ C A^ d ', for transmis- 
sion, and the receiver uses a lattice decoder, i.e., decodes the 
received vector to the closest point in the fine lattice in terms 
of Euclidean distance, and outputs the coset to which this 
resulting vector belongs. The sequence of lattices are chosen 
so that th ey sati sfy properties (GC1) and (GF1) mentioned 
in Section 



IV-A 



The sequence of coarse lattices (A { d) ) are 
simultaneously good for covering and AWGN channel coding. 
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The fine lattices selected are those which are good for AWGN. Hence, for every e > 0, as long as 
The second moment per dimension of the lattice Aq^ , denoted 



by 



is defined as the second moment per dimension of 



a random variable uniformly distributed over V(A Q d ' > ), i.e., 



.A 



V(A< d) ) 



'A, 



vol(V(A d) )) 



(44) 



For an MLAN channel w = [x+z] mod Ao (with Gaussian 
noise z ~ N(0, <r 2 Id)), the average probability of decoding 
error rf® is upper bounded by the probability that the received 
vector w does not lie in the Voronoi region of x e A (d) . 
Hence, we can write rf d ' < Pr[z <^ V(A( rf ))]. It was shown 
by Poltyrev lfl5l that as long as the sequence of fine lattices 
A( d ) is good for AWGN and satisfies 



vol(V(AW)) 2/d 



> 27re, 



the probability of error is upper bounded by 

e -d{Eu(S,a 2 )+o d {l)) ^ ^ as giyen by Q Since 

the fine lattices we use are good for AWGN, as long as 

vol(V(A< d >)) > (2nea 2 ) d/2 , 

the probability of error approaches as d — » oo. The rate of 
the nested lattice code is given by 



^) = ilog 2 iV=ilo g2 



^vol(V(A(«0) J 



This means that as long as we have 



(45) 



the probability of error goes to zero as d — > 00. We can 
write vol(V(A^)) = (M A c<o/G(A d) )) d/2 [12|, where M A «o 
is the second moment per dimension of the fundamental 
Voronoi region of the coarse lattice, and G(Ag ) is called the 
normalized second moment of the lattice Aq ' . Substituting in 



(45 1, we get, 



< - log 
2 e 



2irea 2 G(A ' 



The sequence of coarse lattices is chosen so that the covering 
radius is r cov (Ao ) = \fdM. 

If the covering radius of the coarse lattice is r cm (A^) = 
\J dM, and the sequence of coarse lattices is good for covering 
and quantization, it can be shown that, for any arbitrary e > 
0, there exists a do large enough, so that for all d > do, 
the second moment per dimension of V(Aq^) can be written 
as [12, Appendix C] 



> 



M 



(46) 



R (d) 



< \ l°g 2 



(47) 



(l + e) 2 27re ( r 2 G(A^ ) ) / ' 

there exists do such that Vd > do, the probability of error is 
upper bounded by e -rf(^c/(<5,rr 2 )+o d (i)) and hence gogs tQ Q 
as d — > 00. It was shown in Q that lattices that are good for 
covering are also satisfy G(A^) —> l/2ne as d —> 00. Using 
this, we conclude that as long as 



K < 2 lo S2 



(48) 



the average probability of error decays to zero as the dimen- 
sion d — > 00. Since we have seen that perfect secrecy is 
achievable with any pair of nested lattices, and the noise is 
independent of everything else, perfect secrecy can still be 
guaranteed at the relay. Hence, we can conclude that a rate 
of \ log 2 is achievable with perfect secrecy using nested 
lattice codes. □ 

Appendix C 

Here, we give a proof of Proposition [16] We want to show 
that A T Z d := {A T y : y e if] = A(C). We first prove that 
A T Z d C A(C). By definition, A(C) = {x e R d : (qx) mod 
q £ C}. Therefore, it is enough to show that (qA T z) mod q £ 
C for every z 6 Z d . Fix a z £ l d . Then, 



(qA T z) mod q — 



h 




B 

[ Ik B f[ Zl . 
+ [ ql(d-k) 
[ Ik B ] T [ Zl . 
(G T z) mod q £ C 



[zi z 2 ... z d ] T mod q 



Zk\ 

[z k +i 

Zkf 



■ ■■ z d \ 
mod q 



mod q 



(49) 



For the converse, define C = {^c : c £ C}. Then, A(C) = 
C + Z d := {c + z : c £ C',z £ Z d }. The set A T Z d forms 
a group under (componentwise) integer addition. Hence, it is 
sufficient to show that C C A T Z d , and Z d C A T Z d . Fix an 
arbitrary c £ C. Let c' = ^c. By definition, there exists a 
x £ 7L k q such that 



c = ( [ Ifc B ] xj mod q 
mod q 



x 
B T x 



'7 





z' 



(B x) mod q 



(50) 



for some z' £ 



7d—k 



Therefore, 



c = 



Ifc 




B 

ql(d-k) 



X 

-z' 



Hence, there exists 



x 
z' 



£ Z fl 
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so that c' = A T z. Therefore, we can say that C C A T Z d . 
Next, consider z e Z d . Let A* be as in Lemma 17 and note 



that A T A* = I d , the d x d identity matrix. Let z' = A*z e 
Z d . Then, A T z' = A T (A*z) = (A T A*)z = z. Hence, we 
can say that for every z e Z d , there exists a z' e Z d so 
that z = A T z, and hence Z d C A T Z d , thus concluding the 
proof. □ 
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